[v5.15] KASAN: slab-out-of-bounds Read in dtSearch
0 views
Skip to first unread message
syzbot
Apr 28, 2024, 7:04:27 AMApr 28
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: b925f60c6ee7 Linux 5.15.157
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=114980a7180000
kernel config: https://syzkaller.appspot.com/x/.config?x=802c8e49b2826f05
dashboard link: https://syzkaller.appspot.com/bug?extid=34599b3b01761282d2a5
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/add896a77889/disk-b925f60c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e24f83a46999/vmlinux-b925f60c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/de040a426c29/Image-b925f60c.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+34599b...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in dtCompare fs/jfs/jfs_dtree.c:3613 [inline]
BUG: KASAN: slab-out-of-bounds in dtSearch+0x131c/0x1f34 fs/jfs/jfs_dtree.c:649
Read of size 1 at addr ffff0000e961b718 by task syz-executor.1/4541
CPU: 1 PID: 4541 Comm: syz-executor.1 Not tainted 5.15.157-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call trace:
dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description+0x7c/0x3f0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0x174/0x1e4 mm/kasan/report.c:451
__asan_report_load1_noabort+0x44/0x50 mm/kasan/report_generic.c:306
dtCompare fs/jfs/jfs_dtree.c:3613 [inline]
dtSearch+0x131c/0x1f34 fs/jfs/jfs_dtree.c:649
jfs_lookup+0x164/0x39c fs/jfs/namei.c:1459
__lookup_slow+0x250/0x388 fs/namei.c:1663
lookup_slow+0x60/0x84 fs/namei.c:1680
walk_component+0x394/0x4cc fs/namei.c:1976
link_path_walk+0x5a0/0xc38
path_lookupat+0x90/0x3d0 fs/namei.c:2454
do_o_path+0xa8/0x214 fs/namei.c:3713
path_openat+0x216c/0x26cc fs/namei.c:3735
do_filp_open+0x1a8/0x3b4 fs/namei.c:3769
do_sys_openat2+0x128/0x3d8 fs/open.c:1253
do_sys_open fs/open.c:1269 [inline]
__do_sys_openat fs/open.c:1285 [inline]
__se_sys_openat fs/open.c:1280 [inline]
__arm64_sys_openat+0x1f0/0x240 fs/open.c:1280
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
Allocated by task 4541:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
__kasan_slab_alloc+0x8c/0xcc mm/kasan/common.c:467
kasan_slab_alloc include/linux/kasan.h:254 [inline]
slab_post_alloc_hook+0x74/0x3f4 mm/slab.h:519
slab_alloc_node mm/slub.c:3220 [inline]
slab_alloc mm/slub.c:3228 [inline]
kmem_cache_alloc+0x1dc/0x45c mm/slub.c:3233
jfs_alloc_inode+0x24/0x60 fs/jfs/super.c:105
alloc_inode fs/inode.c:236 [inline]
iget_locked+0x180/0x720 fs/inode.c:1244
jfs_iget+0x30/0x364 fs/jfs/inode.c:29
jfs_lookup+0x1e8/0x39c fs/jfs/namei.c:1467
__lookup_slow+0x250/0x388 fs/namei.c:1663
lookup_slow+0x60/0x84 fs/namei.c:1680
walk_component+0x394/0x4cc fs/namei.c:1976
lookup_last fs/namei.c:2431 [inline]
path_lookupat+0x13c/0x3d0 fs/namei.c:2455
filename_lookup+0x1c4/0x4c8 fs/namei.c:2484
user_path_at_empty+0x5c/0x1a4 fs/namei.c:2883
user_path_at include/linux/namei.h:57 [inline]
__do_sys_quotactl fs/quota/quota.c:946 [inline]
__se_sys_quotactl fs/quota/quota.c:915 [inline]
__arm64_sys_quotactl+0x190/0x7a4 fs/quota/quota.c:915
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
The buggy address belongs to the object at ffff0000e961ae40
which belongs to the cache jfs_ip of size 2240
The buggy address is located 24 bytes to the right of
2240-byte region [ffff0000e961ae40, ffff0000e961b700)
The buggy address belongs to the page:
page:000000003ee8a52f refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x129618
head:000000003ee8a52f order:3 compound_mapcount:0 compound_pincount:0
memcg:ffff0000cafd8901
flags: 0x5ffe00000010200(slab|head|node=0|zone=2|lastcpupid=0xfff)
raw: 05ffe00000010200 0000000000000000 dead000000000122 ffff0000c61e0480
raw: 0000000000000000 00000000800d000d 00000001ffffffff ffff0000cafd8901
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000e961b600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0000e961b680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000e961b700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff0000e961b780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0000e961b800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
ERROR: (device loop1): dtSearch: stack overrun!
ERROR: (device loop1): remounting filesystem as read-only
btstack dump:
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0
jfs_lookup: dtSearch returned -5
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: b925f60c6ee7 Linux 5.15.157
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=114980a7180000
kernel config: https://syzkaller.appspot.com/x/.config?x=802c8e49b2826f05
dashboard link: https://syzkaller.appspot.com/bug?extid=34599b3b01761282d2a5
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/add896a77889/disk-b925f60c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e24f83a46999/vmlinux-b925f60c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/de040a426c29/Image-b925f60c.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+34599b...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in dtCompare fs/jfs/jfs_dtree.c:3613 [inline]
BUG: KASAN: slab-out-of-bounds in dtSearch+0x131c/0x1f34 fs/jfs/jfs_dtree.c:649
Read of size 1 at addr ffff0000e961b718 by task syz-executor.1/4541
CPU: 1 PID: 4541 Comm: syz-executor.1 Not tainted 5.15.157-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call trace:
dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description+0x7c/0x3f0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0x174/0x1e4 mm/kasan/report.c:451
__asan_report_load1_noabort+0x44/0x50 mm/kasan/report_generic.c:306
dtCompare fs/jfs/jfs_dtree.c:3613 [inline]
dtSearch+0x131c/0x1f34 fs/jfs/jfs_dtree.c:649
jfs_lookup+0x164/0x39c fs/jfs/namei.c:1459
__lookup_slow+0x250/0x388 fs/namei.c:1663
lookup_slow+0x60/0x84 fs/namei.c:1680
walk_component+0x394/0x4cc fs/namei.c:1976
link_path_walk+0x5a0/0xc38
path_lookupat+0x90/0x3d0 fs/namei.c:2454
do_o_path+0xa8/0x214 fs/namei.c:3713
path_openat+0x216c/0x26cc fs/namei.c:3735
do_filp_open+0x1a8/0x3b4 fs/namei.c:3769
do_sys_openat2+0x128/0x3d8 fs/open.c:1253
do_sys_open fs/open.c:1269 [inline]
__do_sys_openat fs/open.c:1285 [inline]
__se_sys_openat fs/open.c:1280 [inline]
__arm64_sys_openat+0x1f0/0x240 fs/open.c:1280
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
Allocated by task 4541:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
__kasan_slab_alloc+0x8c/0xcc mm/kasan/common.c:467
kasan_slab_alloc include/linux/kasan.h:254 [inline]
slab_post_alloc_hook+0x74/0x3f4 mm/slab.h:519
slab_alloc_node mm/slub.c:3220 [inline]
slab_alloc mm/slub.c:3228 [inline]
kmem_cache_alloc+0x1dc/0x45c mm/slub.c:3233
jfs_alloc_inode+0x24/0x60 fs/jfs/super.c:105
alloc_inode fs/inode.c:236 [inline]
iget_locked+0x180/0x720 fs/inode.c:1244
jfs_iget+0x30/0x364 fs/jfs/inode.c:29
jfs_lookup+0x1e8/0x39c fs/jfs/namei.c:1467
__lookup_slow+0x250/0x388 fs/namei.c:1663
lookup_slow+0x60/0x84 fs/namei.c:1680
walk_component+0x394/0x4cc fs/namei.c:1976
lookup_last fs/namei.c:2431 [inline]
path_lookupat+0x13c/0x3d0 fs/namei.c:2455
filename_lookup+0x1c4/0x4c8 fs/namei.c:2484
user_path_at_empty+0x5c/0x1a4 fs/namei.c:2883
user_path_at include/linux/namei.h:57 [inline]
__do_sys_quotactl fs/quota/quota.c:946 [inline]
__se_sys_quotactl fs/quota/quota.c:915 [inline]
__arm64_sys_quotactl+0x190/0x7a4 fs/quota/quota.c:915
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
The buggy address belongs to the object at ffff0000e961ae40
which belongs to the cache jfs_ip of size 2240
The buggy address is located 24 bytes to the right of
2240-byte region [ffff0000e961ae40, ffff0000e961b700)
The buggy address belongs to the page:
page:000000003ee8a52f refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x129618
head:000000003ee8a52f order:3 compound_mapcount:0 compound_pincount:0
memcg:ffff0000cafd8901
flags: 0x5ffe00000010200(slab|head|node=0|zone=2|lastcpupid=0xfff)
raw: 05ffe00000010200 0000000000000000 dead000000000122 ffff0000c61e0480
raw: 0000000000000000 00000000800d000d 00000001ffffffff ffff0000cafd8901
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000e961b600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0000e961b680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000e961b700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff0000e961b780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0000e961b800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
ERROR: (device loop1): dtSearch: stack overrun!
ERROR: (device loop1): remounting filesystem as read-only
btstack dump:
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0
jfs_lookup: dtSearch returned -5
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Apr 28, 2024, 7:40:27 AMApr 28
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: b925f60c6ee7 Linux 5.15.157
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=10845c90980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=117e97bb180000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/add896a77889/disk-b925f60c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e24f83a46999/vmlinux-b925f60c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/de040a426c29/Image-b925f60c.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/bdc1b55df2b5/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+34599b...@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 32768
CPU: 1 PID: 3960 Comm: syz-executor784 Not tainted 5.15.157-syzkaller #0
Allocated by task 3960:
new_inode+0x38/0x174 fs/inode.c:966
ialloc+0x58/0x7c0 fs/jfs/jfs_inode.c:48
jfs_create+0x190/0xa1c fs/jfs/namei.c:92
lookup_open fs/namei.c:3462 [inline]
open_last_lookups fs/namei.c:3532 [inline]
path_openat+0xf18/0x26cc fs/namei.c:3739
head:000000005a924bd1 order:3 compound_mapcount:0 compound_pincount:0
raw: 0000000000000000 00000000800d000d 00000001ffffffff 0000000000000000
ffff0000de8b3f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000de8b4000: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
^
ffff0000de8b4080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000de8b4100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
ERROR: (device loop0): dtSearch: stack overrun!
ERROR: (device loop0): remounting filesystem as read-only
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
HEAD commit: b925f60c6ee7 Linux 5.15.157
git tree: linux-5.15.y
kernel config: https://syzkaller.appspot.com/x/.config?x=802c8e49b2826f05
dashboard link: https://syzkaller.appspot.com/bug?extid=34599b3b01761282d2a5
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11002937180000
dashboard link: https://syzkaller.appspot.com/bug?extid=34599b3b01761282d2a5
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=117e97bb180000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/add896a77889/disk-b925f60c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e24f83a46999/vmlinux-b925f60c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/de040a426c29/Image-b925f60c.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+34599b...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in dtCompare fs/jfs/jfs_dtree.c:3613 [inline]
BUG: KASAN: slab-out-of-bounds in dtSearch+0x131c/0x1f34 fs/jfs/jfs_dtree.c:649
Read of size 1 at addr ffff0000de8b4058 by task syz-executor784/3960
BUG: KASAN: slab-out-of-bounds in dtCompare fs/jfs/jfs_dtree.c:3613 [inline]
BUG: KASAN: slab-out-of-bounds in dtSearch+0x131c/0x1f34 fs/jfs/jfs_dtree.c:649
CPU: 1 PID: 3960 Comm: syz-executor784 Not tainted 5.15.157-syzkaller #0
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
__kasan_slab_alloc+0x8c/0xcc mm/kasan/common.c:467
kasan_slab_alloc include/linux/kasan.h:254 [inline]
slab_post_alloc_hook+0x74/0x3f4 mm/slab.h:519
slab_alloc_node mm/slub.c:3220 [inline]
slab_alloc mm/slub.c:3228 [inline]
kmem_cache_alloc+0x1dc/0x45c mm/slub.c:3233
jfs_alloc_inode+0x24/0x60 fs/jfs/super.c:105
alloc_inode fs/inode.c:236 [inline]
new_inode_pseudo+0x68/0x200 fs/inode.c:937
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
__kasan_slab_alloc+0x8c/0xcc mm/kasan/common.c:467
kasan_slab_alloc include/linux/kasan.h:254 [inline]
slab_post_alloc_hook+0x74/0x3f4 mm/slab.h:519
slab_alloc_node mm/slub.c:3220 [inline]
slab_alloc mm/slub.c:3228 [inline]
kmem_cache_alloc+0x1dc/0x45c mm/slub.c:3233
jfs_alloc_inode+0x24/0x60 fs/jfs/super.c:105
alloc_inode fs/inode.c:236 [inline]
new_inode+0x38/0x174 fs/inode.c:966
ialloc+0x58/0x7c0 fs/jfs/jfs_inode.c:48
jfs_create+0x190/0xa1c fs/jfs/namei.c:92
lookup_open fs/namei.c:3462 [inline]
open_last_lookups fs/namei.c:3532 [inline]
path_openat+0xf18/0x26cc fs/namei.c:3739
do_filp_open+0x1a8/0x3b4 fs/namei.c:3769
do_sys_openat2+0x128/0x3d8 fs/open.c:1253
do_sys_open fs/open.c:1269 [inline]
__do_sys_openat fs/open.c:1285 [inline]
__se_sys_openat fs/open.c:1280 [inline]
__arm64_sys_openat+0x1f0/0x240 fs/open.c:1280
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
The buggy address belongs to the object at ffff0000de8b3780
do_sys_openat2+0x128/0x3d8 fs/open.c:1253
do_sys_open fs/open.c:1269 [inline]
__do_sys_openat fs/open.c:1285 [inline]
__se_sys_openat fs/open.c:1280 [inline]
__arm64_sys_openat+0x1f0/0x240 fs/open.c:1280
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
which belongs to the cache jfs_ip of size 2240
The buggy address is located 24 bytes to the right of
2240-byte region [ffff0000de8b3780, ffff0000de8b4040)
The buggy address is located 24 bytes to the right of
The buggy address belongs to the page:
page:000000005a924bd1 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11e8b0
head:000000005a924bd1 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x5ffe00000010200(slab|head|node=0|zone=2|lastcpupid=0xfff)
raw: 05ffe00000010200 0000000000000000 dead000000000122 ffff0000c61e5380
raw: 0000000000000000 00000000800d000d 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000de8b3f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Memory state around the buggy address:
ffff0000de8b3f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000de8b4000: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
^
ffff0000de8b4080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000de8b4100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
ERROR: (device loop0): dtSearch: stack overrun!
ERROR: (device loop0): remounting filesystem as read-only
btstack dump:
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0
jfs_lookup: dtSearch returned -5
---
If you want syzbot to run the reproducer, reply with:
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0
jfs_lookup: dtSearch returned -5
---
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
Reply all
Reply to author
Forward
0 new messages